How to: IdentiFi Wireless Appliances - Guest Portal

Updated 3 years ago

Here is a short overview of how to configure a basic wireless guest portal on an IdentiFi Wireless Appliance.

The screenshots are from a C5110 running V9.21.02.0014.

Network diagram:



1) Create a topology
In this example the "Bridge Traffic Locally at EWC" mode is used.
The traffic from the wireless client is transported from the AP via the CAPWAP tunnel to the appliance and leaves it on the esa1 interface port with the VLAN ID/tag.
DHCP is set to "Local Server" so the appliance will provide the IP addresses and DNS information to the guest clients.



Click "Configure" for the DHCP advanced options to set:
- DNS
- Gateway
- IP Range



2) Create Roles
Add a new role for the unauthenticated guest users (= clients that are connected to the SSID but haven't registered yet via the guest portal page).

Set "access control" to "Containment VLAN" and in the field "VLAN" choose the topology that was created in step 1).



In "Policy Rules" add the following rules, which allow the services needed to redirect the clients to the portal page.
- The IP of the topology = to access the portal page
- DHCP = for clients to get an IP from the DHCP server
- DNS = to allow name resolution; clients are only redirected to the portal if name resolution is allowed
- The reverse direction of the traffic
- Deny all as the last rule

!!! In/Out must be set correctly, and the checkmark must be removed from AP filtering !!!

In this scenario it would look like...
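
The rule list above can also be checked offline before it is entered in the GUI. This Python model is an added example, not appliance configuration or code from the original article. It assumes top-down, first-match evaluation and models only the client-to-network direction; the addresses 10.12.5.1 (topology IP), 192.0.2.53 (DNS server) and 203.0.113.10 (a website) are constructed.

```python
from ipaddress import ip_address, ip_network

ANY = None  # wildcard for protocol, port or destination

# Constructed addressing: the page only shows guests receiving 10.12.5.X.
PORTAL = ip_network("10.12.5.1/32")          # assumed IP of the topology
DNS_SERVER = ip_address("192.0.2.53")        # assumed DNS server handed out by DHCP
INTERNET_HOST = ip_address("203.0.113.10")   # stands in for any website

# Unauthenticated role, client-to-network direction only.
UNAUTH_RULES = [
    ("allow", ANY, ANY, PORTAL),   # the IP of the topology (portal page)
    ("allow", "udp", 67, ANY),     # DHCP
    ("allow", "udp", 53, ANY),     # DNS
    ("deny", ANY, ANY, ANY),       # deny all as the last rule
]

def verdict(rules, proto, port, dst):
    """Return the action of the first rule that matches the packet."""
    for action, r_proto, r_port, r_dst in rules:
        if r_proto not in (ANY, proto):
            continue
        if r_port not in (ANY, port):
            continue
        if r_dst is not ANY and dst not in r_dst:
            continue
        return action
    return "deny"  # assumption: a packet matching no rule gets no access

def audit(rules):
    """List problems that break the portal flow or leave the role open."""
    findings = []
    if not rules or rules[-1] != ("deny", ANY, ANY, ANY):
        findings.append("last rule is not deny all")
    needed = [
        ("DHCP", "udp", 67, ip_address("255.255.255.255")),
        ("DNS", "udp", 53, DNS_SERVER),
        ("portal page", "tcp", 80, PORTAL.network_address),
    ]
    for name, proto, port, dst in needed:
        if verdict(rules, proto, port, dst) != "allow":
            findings.append(f"{name} is blocked before login")
    for port in (80, 443):
        if verdict(rules, "tcp", port, INTERNET_HOST) == "allow":
            findings.append(f"tcp/{port} to the internet is open before login")
    return findings
```

An empty list from `audit(UNAUTH_RULES)` means the unauthenticated role lets a new client get an address, resolve names and reach the portal, while web traffic to other destinations still hits the final deny rule.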



Add a new role for the authenticated guest users (= clients that are registered via the guest portal with a username/password).

Set "access control" to "Containment VLAN" and in the field "VLAN" choose the topology that was created in step 1).
In this example we allow all traffic to pass, so there is no need to add rules in "Policy Rules".
!!! If you'd like to deny certain services, add deny rules. !!!



3) Create a WLAN Service
- Set the "Default Topology" to your guest portal topology
- Select the AP that should provide the guest SSID
- In the advanced options it might be a good idea to select "Block MU to MU traffic" = traffic between guest clients is denied



Leave the privacy settings at "None"



Set the "Mode" to "Guest Portal"



Enable "WMM", "802.11e" and "Flexible Client Access"



4) Create a Virtual Network
Add a new VNS and select the "WLAN Service" from 3) and the "Non-Authenticated" and "Authenticated" roles from 2).



5) Create a guest ticket
In the GUI go to > VNS > WLAN Services > guest_portal > Auth&Acc > Configure > Manage Guest Users > Add Guest Account
Add a new ticket to test the guest portal
!!! Don't forget to set the "Enabled" checkmark !!!



6) Test
- Connect the wireless client to the guest_portal SSID
- Check the > Reports > Clients > By VNS > guest portal
○ You should see that the client has an IP of 10.12.5.X and is unauthenticated (= the lock on the left is open/grey)



- Open a web browser and enter any valid webpage address
!!! HTTP only; by default HTTPS is not allowed !!!
- You should get redirected to the captive portal webpage of the controller
- Enter the username and password and you should have access to the internet



- Check the > Reports > Clients > By VNS > guest portal
○ You should see that the client is now authenticated (= the lock on the left is closed/green)
Ronald Dvorak, Embassador

Posted 3 years ago
